Jump to content

Unable to report particular spam


ronros

Recommended Posts

I get repeated spam (phishing, I think) and am unable to report it.

This is an example

The text of the message has something to do with revalidating an email account, or else it will be terminated.

When I try to report this, there is an apparent error message:

Parsing header:
host 2a01:111:e400:7e85:0:0:0:40 (getting name) no name
host 2a01:111:e400:7e85:0:0:0:43 (getting name) no name
0: Received: from NAM04-BN8-obe.outbound.protection.outlook.com (mail-bn8nam08olkn2032.outbound.protection.outlook.com [40.92.47.32]) by mail79c26.carrierzone.com (8.14.9/8.13.1) with ESMTP id 155Flr9d022616; Sat, 5 Jun 2021 11:47:55 -0400
Hostname verified: mail-bn8nam08olkn2032.outbound.protection.outlook.com
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust this Received line.
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.

I have tried forwarding it (as an attachment) , and, although the report is received, the message in the history is "No Reports Filed"

I've been using this service intermittently for many years, and this is the first time I've run into this kind of problem.

I'm not aware of anything on my end that has changed.

One of the suggestions in the spamcop message was Add/edit your mailhost configuration, but I'm not really sure what to do there.  There seem to be a number of Hosts/Domains all ending with `secureserver.net` which is a GoDaddy email thing.

Is this some new kind of spamming technique that SC can't resolve?  Or is there something I can be doing at my end?

Thanks.

 

Link to comment
Share on other sites

3 hours ago, ronros said:

One of the suggestions in the spamcop message was Add/edit your mailhost configuration, but I'm not really sure what to do there.

It maybe that your mailhosts has both carrierzone and outlook.com/hotmail.com.  If so, it could note the received lines as good, even when they are not.  I went in and deleted the accounts I no longer use off my mailhosts and it solved it for me.

Also, a tracking URL makes it easier to read.

Link to comment
Share on other sites

1 hour ago, gnarlymarley said:

It maybe that your mailhosts has both carrierzone and outlook.com/hotmail.com.  If so, it could note the received lines as good, even when they are not.  I went in and deleted the accounts I no longer use off my mailhosts and it solved it for me.

Also, a tracking URL makes it easier to read.

Thank you for getting back to me.

If you click on "This is an example" in my original post, it is the Tracking URL.

On the mailhost page, there is only a single mailhost name listed: Secureserver.net
and a single email address.

In the Hosts/Domains dropdown, there are many, many listed, all ending in secureserver.net.  There is a single listing for hartelius.us and I have no idea what that is (nor do I see a method of deleting it.

In the Add new hosts dropdown (which also shows a delete option) there is only a single listing of my email address and it is NOT hotmail or associated with carrierzone.

I do have a hotmail address, but I never use it or check it; I have no idea about carrierzone.

Any other thoughts

 

Edited by ronros
Link to comment
Share on other sites

1 hour ago, ronros said:

If you click on "This is an example" in my original post, it is the Tracking URL.

Yes.  I missed that last time.  The "Mailhost configuration problem" and "No source IP address found" indicate that the email does not match your mailhosts.

1 hour ago, ronros said:

Any other thoughts

My first thoughts are that this either came from a different account or else secureserver.net is removing their received lines from the email.  If this came from a different account, then you will need to go to mail hosts and click add for that email address.  If this came from a secureserver account, then the only way you can get the spammers IP is to acquire the server logs from secureserver.net.  RFC5321 explains this well in section 3.7.2, where your ISP should be adding that line so you have the IP that sent the email.

Link to comment
Share on other sites

12 hours ago, gnarlymarley said:

Yes.  I missed that last time.  The "Mailhost configuration problem" and "No source IP address found" indicate that the email does not match your mailhosts.

My first thoughts are that this either came from a different account or else secureserver.net is removing their received lines from the email.  If this came from a different account, then you will need to go to mail hosts and click add for that email address.  If this came from a secureserver account, then the only way you can get the spammers IP is to acquire the server logs from secureserver.net.  RFC5321 explains this well in section 3.7.2, where your ISP should be adding that line so you have the IP that sent the email.

I don't see how it could have come from a different account; the email client only checks the one.  But can you tell from the tracking link what email address I should add?

Also, if secureserver.net were removing the received lines, why would that only happen with email from this particular source?  Emails from other sources can be reported without issues.

Thanks,

     Ron

Link to comment
Share on other sites

2 hours ago, ronros said:

I don't see how it could have come from a different account; the email client only checks the one.  But can you tell from the tracking link what email address I should add?

Also, if secureserver.net were removing the received lines, why would that only happen with email from this particular source?  Emails from other sources can be reported without issues.

Thanks,

     Ron

looking at the whole message, it does seem that the spam came from an outlook account, so report_spam[at]hotmail.com seems to be the correct place to report for spam origin.

looking at the links in the spam, wix.com is the owner of the web IP address, so abuse[at]wix.com would be the place to report the link.

just my 2¢

 

p.s. if secureserver.net were to remove received lines it would be on them to track the origin of the spam. No MX should be removing received lines, only adding them as they pass through their "sector" to be able to trace the origin correctly. Outlook does have misconfigured mail hosts which break the tracing as the names for inbound vs. outbound are different. (at least that's the way I see it)

Edited by RobiBue
added additional remark
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...